PYSEC-2022-43059
Vulnerability from pysec - Published: 2022-06-23 17:15 - Updated: 2026-06-10 16:50
VLAI
Details
AIOHTTP 3.8.1 can report a "ValueError: Invalid IPv6 URL" outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application
Severity
5.5 (Medium)
Impacted products
| Name | purl | aiohttp | pkg:pypi/aiohttp |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "aiohttp",
"purl": "pkg:pypi/aiohttp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.1",
"0.10.0",
"0.10.1",
"0.10.2",
"0.11.0",
"0.12.0",
"0.13.0",
"0.13.1",
"0.14.0",
"0.14.1",
"0.14.2",
"0.14.3",
"0.14.4",
"0.15.0",
"0.15.1",
"0.15.2",
"0.15.3",
"0.16.0",
"0.16.1",
"0.16.2",
"0.16.3",
"0.16.4",
"0.16.5",
"0.16.6",
"0.17.0",
"0.17.1",
"0.17.2",
"0.17.3",
"0.17.4",
"0.18.0",
"0.18.1",
"0.18.2",
"0.18.3",
"0.18.4",
"0.19.0",
"0.2",
"0.20.0",
"0.20.1",
"0.20.2",
"0.21.0",
"0.21.1",
"0.21.2",
"0.21.4",
"0.21.5",
"0.21.6",
"0.22.0",
"0.22.0a0",
"0.22.0b0",
"0.22.0b1",
"0.22.0b2",
"0.22.0b3",
"0.22.0b4",
"0.22.0b5",
"0.22.0b6",
"0.22.1",
"0.22.2",
"0.22.3",
"0.22.4",
"0.22.5",
"0.3",
"0.4",
"0.4.1",
"0.4.2",
"0.4.3",
"0.4.4",
"0.5.0",
"0.6.0",
"0.6.1",
"0.6.2",
"0.6.3",
"0.6.4",
"0.6.5",
"0.7.0",
"0.7.1",
"0.7.2",
"0.7.3",
"0.8.0",
"0.8.1",
"0.8.2",
"0.8.3",
"0.8.4",
"0.9.0",
"0.9.1",
"0.9.2",
"0.9.3",
"1.0.0",
"1.0.1",
"1.0.2",
"1.0.3",
"1.0.5",
"1.1.0",
"1.1.1",
"1.1.2",
"1.1.3",
"1.1.4",
"1.1.5",
"1.1.6",
"1.2.0",
"1.3.0",
"1.3.1",
"1.3.2",
"1.3.3",
"1.3.4",
"1.3.5",
"2.0.0",
"2.0.0rc1",
"2.0.1",
"2.0.2",
"2.0.3",
"2.0.4",
"2.0.5",
"2.0.6",
"2.0.7",
"2.1.0",
"2.2.0",
"2.2.1",
"2.2.2",
"2.2.3",
"2.2.4",
"2.2.5",
"2.3.0",
"2.3.0a1",
"2.3.0a2",
"2.3.0a3",
"2.3.0a4",
"2.3.1",
"2.3.10",
"2.3.1a1",
"2.3.2",
"2.3.2b2",
"2.3.2b3",
"2.3.3",
"2.3.4",
"2.3.5",
"2.3.6",
"2.3.7",
"2.3.8",
"2.3.9",
"3.0.0",
"3.0.0b0",
"3.0.0b1",
"3.0.0b2",
"3.0.0b3",
"3.0.0b4",
"3.0.1",
"3.0.2",
"3.0.3",
"3.0.4",
"3.0.5",
"3.0.6",
"3.0.7",
"3.0.8",
"3.0.9",
"3.1.0",
"3.1.1",
"3.1.2",
"3.1.3",
"3.2.0",
"3.2.1",
"3.3.0",
"3.3.0a0",
"3.3.1",
"3.3.2",
"3.3.2a0",
"3.4.0",
"3.4.0a0",
"3.4.0a3",
"3.4.0b1",
"3.4.0b2",
"3.4.1",
"3.4.2",
"3.4.3",
"3.4.4",
"3.5.0",
"3.5.0a1",
"3.5.0b1",
"3.5.0b2",
"3.5.0b3",
"3.5.1",
"3.5.2",
"3.5.3",
"3.5.4",
"3.6.0",
"3.6.0a0",
"3.6.0a1",
"3.6.0a11",
"3.6.0a12",
"3.6.0a2",
"3.6.0a3",
"3.6.0a4",
"3.6.0a5",
"3.6.0a6",
"3.6.0a7",
"3.6.0a8",
"3.6.0a9",
"3.6.0b0",
"3.6.1",
"3.6.1b3",
"3.6.1b4",
"3.6.2",
"3.6.2a0",
"3.6.2a1",
"3.6.2a2",
"3.6.3",
"3.7.0",
"3.7.0b0",
"3.7.0b1",
"3.7.1",
"3.7.2",
"3.7.3",
"3.7.4",
"3.7.4.post0",
"3.8.0",
"3.8.0a7",
"3.8.0b0",
"3.8.1",
"3.8.2",
"3.8.3",
"3.8.4",
"3.8.5",
"3.8.6",
"3.9.0b0",
"3.9.0b1",
"4.0.0a0",
"4.0.0a1",
"3.9.0rc0",
"3.9.0",
"3.9.1",
"3.9.2",
"3.9.3",
"3.9.4rc0",
"3.10.0",
"3.10.0b1",
"3.10.0rc0",
"3.10.1",
"3.10.10",
"3.10.11",
"3.10.11rc0",
"3.10.2",
"3.10.3",
"3.10.4",
"3.10.5",
"3.10.6",
"3.10.6rc0",
"3.10.6rc1",
"3.10.6rc2",
"3.10.7",
"3.10.8",
"3.10.9",
"3.11.0",
"3.11.0b0",
"3.11.0b1",
"3.11.0b2",
"3.11.0b3",
"3.11.0b4",
"3.11.0b5",
"3.11.0rc0",
"3.11.0rc1",
"3.11.0rc2",
"3.11.1",
"3.11.10",
"3.11.11",
"3.11.12",
"3.11.13",
"3.11.14",
"3.11.15",
"3.11.16",
"3.11.17",
"3.11.18",
"3.11.2",
"3.11.3",
"3.11.4",
"3.11.5",
"3.11.6",
"3.11.7",
"3.11.8",
"3.11.9",
"3.12.0",
"3.12.0b0",
"3.12.0b1",
"3.12.0b2",
"3.12.0b3",
"3.12.0rc0",
"3.12.0rc1",
"3.12.1",
"3.12.10",
"3.12.11",
"3.12.12",
"3.12.13",
"3.12.14",
"3.12.15",
"3.12.1rc0",
"3.12.2",
"3.12.3",
"3.12.4",
"3.12.6",
"3.12.7",
"3.12.7rc0",
"3.12.8",
"3.12.9",
"3.13.0",
"3.13.1",
"3.13.2",
"3.13.3",
"3.13.4",
"3.13.5",
"3.14.0",
"3.14.1",
"3.9.4",
"3.9.5"
]
}
],
"aliases": [
"CVE-2022-33124",
"GHSA-rwqr-c348-m5wr"
],
"details": "AIOHTTP 3.8.1 can report a \"ValueError: Invalid IPv6 URL\" outcome, which can lead to a Denial of Service (DoS). NOTE: multiple third parties dispute this issue because there is no example of a context in which denial of service would occur, and many common contexts have exception handing in the calling application",
"id": "PYSEC-2022-43059",
"modified": "2026-06-10T16:50:57.299724Z",
"published": "2022-06-23T17:15:00Z",
"references": [
{
"type": "EVIDENCE",
"url": "https://github.com/aio-libs/aiohttp/issues/6772"
},
{
"type": "REPORT",
"url": "https://github.com/aio-libs/aiohttp/issues/6772"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-rwqr-c348-m5wr"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"withdrawn": "2023-11-08T00:54:24Z"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…